Internet of Things Policy
Version 1.4
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure the confidentiality, integrity, and availability of the University’s IT Resources by regulating the use of Internet of Things (IoT) devices and connecting them to the appropriate University network.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- In support of University functions, the Faculty/Staff must make an official request to use an IoT device or collection of devices specified in the Internet of Things for Faculty/Staff Networks procedure.
- All other Users must request IoT device connections per the Internet of Things for Public Networks procedures.
- The University has classified the IoT networks into the following groups:
  - Administrative/Restricted (i.e., University-owned and managed devices, contracted services),
  - Building management systems (e.g., specialized instruments, HVAC, elevators),
  - Community devices owned and operated by faculty or staff (e.g., televisions, Apple TV®, Chromecast™), or
  - Student-owned devices on the public network.
- Faculty/Staff IoT device requests must be reviewed and connected to the appropriate network as deemed necessary by Information Security and Assurance and DevOps Infrastructure Services.
- IoT devices must only be connected to a segregated and controlled network segment.
- IoT networks must be monitored to identify abnormal traffic and emergent threats.
- IoT devices should have a process for updating software and hardware firmware as stated in the Vulnerability Management Policy, as applicable.
Definitions
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
The Internet of Things consists of physical objects (e.g., vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators) that communicate, sense, or interact with their internal states or the external environment via network connectivity.
Related Policies and Procedures
- Internet of Things Procedure for Faculty/Staff
- Internet of Things Procedure for Public Network
- Vulnerability Management Policy
Implementation Information
Review Frequency | Annual |
---|---|
Responsible Person | Senior Director of IT Security and Assurance |
Approved By | CISO |
Approval Date | 09/12/2018 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 09/12/2018 | Initial document |
1.1 | 01/05/2020 | Updated policy statement |
1.2 | 10/06/2020 | Updated purpose and policy statement |
1.3 | 10/13/2021 | Updated policy statement |
1.4 | 11/20/2023 | Updated policy statement, scope, and disclaimer |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.